Valery --

        I am not sure if this is your problem also, but I cannot get
http://cert.vrn.ru/crl/main.crl; however, I can get
http://proxy.vrn.ru/crl/main.crl. I would make your DP point to that.

Ryan

-----Original Message-----
From: Valery [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 1:35 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Please help me!

Hello Ryan!

Thank you very much.

I have added the line in the Certificate Extensions section of my
openssl.cnf file:

crlDistributionPoints=URI:http://cert.vrn.ru/crl/main.crl

and then I made some certificates with this extension.
Such certificates have the following value of CRL Distribution Points:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://cert.vrn.ru/crl/main.crl

I suppose it's ok at this step.
But the next step... It's not clear to me.

MS Outlook Express tries to check if the certificate has been revoked or
not, but it says "The digital ID has not been revoked or revocation
information for this certificate could not be determined."

The CRL has been made with the following command:
openssl ca -gencrl -out crl.pem -config openssl.cnf -passin pass:****

Then I copied the crl.pem file into the appropriate directory of my web server
and renamed the file to main.crl

I made certificate, then revoked it for testing, and then made a CRL as I
wrote above.

Have I made a mistake? Why does MS Outlook Express not tell me that the
certificate has been revoked?

Yours sincerely,
     Valery
 E-mail: [EMAIL PROTECTED]





----- Original Message -----
From: "Ryan Hurst" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!


> Valery --
>
> This field in a certificate points to where the issuer will make its
> certificate revocation list available. If you are using OpenSSL or OpenCA
> (based off of OpenSSL) to issue your certificates you will want to probably
> put up a web server or LDAP capable directory where you can make your
> certificate revocation list available; refer to the absolute URL for this
> list in this extension. You may also want to include an AIA
> (authorityInformationAccess) extension as well, this can point to an OCSP
> responder capable of responding with individual certificate statuses.
>
> The Microsoft platform implements its revocation handling in a library
> called cryptnet.dll; this supports all the transports that WinInet supports
> (http/s,ftp,ldap/s,file). When the CryptoAPI applications that use
> revocation checking (Outlook can be configured to do this and in Office XP
> it is the default behavior), cryptnet will attempt to retrieve the CRL
> specified in this extension and use it for revocation checking. There are
> also alternate revocation providers available for Windows that implement
> additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such
> provider.
>
> I hope this helps.
>
> Ryan
>
> -----Original Message-----
> From: Valery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 1:12 AM
> To: [EMAIL PROTECTED]
> Subject: Please help me!
>
> Hello!
> I used the certificate extension "crlDistributionPoints" in my openssl.cnf
> file.
> And I faced the following problem.
>
> What should I indicate in this field (crlDistributionPoints)?
>
> I need MS Outlook Express to check if the certificate has been revoked or
> not when it is on-line. What do I need to do?
>
> Yours faithfully,
>     Valery
> E-mail: [EMAIL PROTECTED]
>
>
>
>
>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
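
Added example (not part of the original thread, and not OpenSSL project code): the issue, revoke and regenerate-CRL cycle described above, run against a throwaway CA so the CRL's effect can be checked locally with openssl verify before a mail client is involved. The CA and user names and the CDP URL are constructed, nothing is fetched from that URL, and main.crl is written in DER, the encoding RFC 5280 specifies for a CRL served over HTTP.

```shell
# Added example: throwaway CA in a temp dir; names and the CDP URL are constructed.
cdp_demo() {
  work=$(mktemp -d) && cd "$work" && mkdir newcerts && : > index.txt && echo 01 > serial || return 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
crlDistributionPoints = URI:http://crl.example.test/main.crl
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
  { # issue the CA and a user certificate, then a CRL from before the revocation
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 &&
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout u.key -out u.csr -subj "/CN=user" &&
    openssl ca -config ca.cnf -batch -notext -in u.csr -out u.pem &&
    openssl ca -config ca.cnf -gencrl -out crl0.pem
  } >/dev/null 2>&1 || return 1
  CDP=$(openssl x509 -in u.pem -noout -text | grep -o 'URI:http[^ ]*')
  BEFORE=$(openssl verify -CAfile ca.pem -CRLfile crl0.pem -crl_check u.pem 2>&1) || true
  { # revoke, regenerate the CRL, and write the DER file to publish at the CDP URL
    openssl ca -config ca.cnf -revoke u.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem &&
    openssl crl -in crl.pem -outform DER -out main.crl
  } >/dev/null 2>&1 || return 1
  AFTER=$(openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check u.pem 2>&1) || true
  cd - >/dev/null
}
cdp_demo && printf '%s\n' "$CDP" "before: $BEFORE" "after: $AFTER"
```

If the "after" line does not report the certificate as revoked, the CRL itself is at fault and the client and web server can be ruled out.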
